Botnets on The Run?

Zombies aren't just for horror flicks. There are hundreds of thousands of zombies on the Internet today, coupled into "botnets" that are harnessed by their malevolent overlords to wreak havoc.

The havoc typically involves Distributed Denial of Service (DDoS) type attacks but can also be used to scan other computers and steal personal information.

Killing the zombies, raising them from the ranks of the undead and smashing the botnets is not an easy task, but it is being done, thanks to the work of diligent security researchers.

Lexington, Mass.-based Arbor Networks is among those driving the proverbial silver bullet into the heart of the botnets. The company recently helped smash a botnet operating against sites based in the Netherlands.

Jose Nazario, software and security engineer at Arbor Networks, said that in late February, Arbor received a report of a particular botnet among a set of botnets reports for the previous night. Arbor Networks had been actively monitoring botnet activity for several months at that point.

"We do this to identify the attack sources, to work with others to shut them down, and to attempt to improve the general state of Internet security," Nazario told internetnews.com.

Arbor Networks began tracking the botnet by gaining entry to the IRC network it was using and logging activity.

At the time when Arbor had found it, the authors were busy telling the machines that had connected to download another piece of software and then to leave the IRC bot network. The machines, it turned out, were being "herded" to a new network.

"We suspect that the botnet operators knew that their original network had been discovered and were busy setting up a new one," Nazario said. "Such 'herding' tactics are not uncommon in the botnet world; operators will migrate the bots around to new servers, new channels, all in an effort to maintain their network and to avoid detection."

The new botnet was "decoded" on March 1, 2006, and was linked to a number of DDoS attacks against broadband sites hosted in the Netherlands. Arbor Networks contacted the Dutch Computer Emergency Response Team (CERT) on March 2 with the intelligence it gathered and disabled the botnet.

Nazario noted that disabling the botnet was relatively easy.

Arbor Networks had substantial logs of the activities and used them to articulate a case to Dutch CERT officials who in turn, shared it with a security-conscious ISP in the Netherlands. The ISP immediately shut down the network and worked with the users who were infected to clean up their systems that had joined the botnet.

"In short, with such cooperative and knowledgeable people working with us, we found it was very easy to shut down this particular botnet," Nazario said.

FaceTime Security Labs is also hunting botnets and recently discovered a pair with nearly 150,000 attached hosts in its army of the undead.

"We had a tip-off from an individual known as RinCe," Chris Boyd, security research manager at FaceTime, told internetnews.com. "With his assistance, we were able to map the activities of these groups in great detail. From there, it was a case of analyzing all the files, making the right connections, finding compromised servers and gathering more data."

One of the botnets that FaceTime identified is allegedly being used to scan systems for personal financial information. Instant messaging (IM) is one of the attack vectors that the FaceTime-identified botnet is taking advantage of. The botnet recruited new zombies by way of an infected file transferred via IM.

"Once they had infected an end-user, they would deploy Remote Administration Server, a commercially available application produced by Famtech," Boyd explained. "Once onboard, this is hidden from the user and the machine is compromised. The attackers can do pretty much what they want with the PC.

"As long as the attackers are smart about what they're doing, the victim need never know they were infected."

The same lack of awareness was prevalent in the botnet that Arbor Networks smashed.

"We do not have any evidence that the users knew that their machines had been compromised and were being used in a botnet and that their machines were participating in these attacks," Nazario said.

The Dutch botnet busted by Arbor Networks was built differently than the IM-replicated zombies. According to Nazario, the botnet was built using software that scanned systems for commonly exploited Windows vulnerabilities. These include the vulnerabilities used in the Sasser and Blaster worms from a few years ago, and also the vulnerabilities used in last year's Zotob worm, among other attacks.

Though Zombie botnets can be detected and in some cases destroyed it's unlikely they can be totally exterminated as a security threat.

"Every time you shut one down, another will spring up in its place," FaceTime's Boyd said. "However, lots of Botnets are not that harmful - it's script-kiddies playing around, the payloads aren't particularly malicious, or they do something stupid and get shut down."

"The biggest problems are the remaining Botnets that actually do the serious damage - the password grabbers, the credit card stealers," Boyd added.

"These are the real hotspots, and it will be quite a challenge to tackle these problems as the exploits become more sophisticated."

Botnets and their army of linked zombies are likely to be just a fact of life in the modern networked world.

"I don't think it can be fully eradicated, at least not with current technology," Nazario said. "The foreseeable future, in which computers are networked together and software has flaws, means that remote attacks will continue to succeed and such threats will remain."

If you don't want your PC to join the ranks of the undead there are steps you can take to protect yourself. Boyd recommends that users always ensure that they are fully patched, running good firewall, antivirus and antispyware protection.

"And never, ever click a link blindly without questioning the source. One wrong click can be fatal, as we have unfortunately seen too many times."